Considering all the false positives...

... and the havoc they are wreaking on people's computers, and the fact that when ZA quarantines something, restoring the files from quarantine is not enough, since ZA seems to de-register the file when it quarantines it, and maybe not all of us know how to restore that registry setting and maybe we can't necessarily restore the system...

Shouldn't we all just choose to have ZASS 'report only' when it perceives a problem? (That's with "Alert me, do not treat automatically" for the AV and the check removed from the box to treat automatically in the antispyware part.) ZASS is not the first security software to have false positives and, personally, I won't even use security software if it doesn't provide the option for me to decide what I want it to do with a file before it does anything. I did have the antispyware set to treat automatically until this latest rash of problems (involving people's monitors). Somehow my AS didn't flag these files, so I was lucky there, but I'm not giving ZASS another chance to wipe out legitimate files. I've already lost a system file for good to a false positive, and fortunately it's not one that I've needed so far.

Yes, it's more work to have to second guess everything ZASS does, but it's the same with any security software, false positives happen. And looking something up and verifying it first is probably easier than trying to get back something that's been lost for good.

Just my 2 cents. :-) Happy computing, folks. I appreciate everyone who has written here to share their experiences and knowledge. It is a great help.

Re: Considering all the false positives...

I think the best setting is quarantine. Then check it out and see if it is a false positive. This way, if it is something evil, it is contained and stopped, and if it is a false positive, it can always be released. Safe and no harm can be done either way.

Lost files should be recovered in a system file check. That will work for the OS files. Lost files from supported software should be recovered by re-installs. Or if there are two machines, then copy from one PC and place in the other PC.

If it is a virus scan detection and a suspected false positive, then send it to:

newvirus at kaspersky.com, and zip the file and password protect it and include the password in the e-mail.

If it is a spyware scan detection and a suspected false positive, then send it to:

Actual files can be uploaded to sites for antivirus scanning. The advantage is the site usually has many scanners to check at the same time. Many scanners means a better detection. Two can be found here >

Posting at forums such as here, the Zone Alarm forum or other security forums is always a good approach. There are others who have seen the same thing or users who will be able to help in reaching a proper solution or users who can be certain to say if the detection is correct or wrong just by the name/ file location alone.

Re: Considering all the false positives...

OK, I have what I strongly suspect is a false positive.
After searching the forum, your posting looked like the most useful I've seen here.
This isn't the first time this has happened, previously it was just impacting games downloaded via Steam.
I couldn't find any recourse and gave up, life moved on.
Then it started hitting the odd and occasional system file.
Today this is hitting me where it hurts.
The file quarantined was "C:\Program Files\Native Instruments\Pro-53\DXi\Pro-53DXI.dll".
If you're not familiar with them, Native Instruments manufactures high-end software synths that are usable as stand-alone synths and as plug-ins to other programs, mainly composition tools.
Zone Alarm identified it as Trojan-Downloader.Win32.bagle.jc.
A quick search of Kaspersky's site gives me the clue that one of their analysts is jumping all over trying to keep up with creating new definitions to combat new variants.
OK, so I'm a victim of "minor" collateral damage in this war: my computer still runs.
There are two possibilities here:
(1) The trojan infected my computer and ZA failed to find several other instances of DLLs it has infected, only finding this one.
(Implausible, IMSHO.)
(2) Zone Alarm possibly damaged the file during its "attempted repair", found it still didn't like the file, and then quarantined it.
I'd love to file this off to Kaspersky using your directions, only I now cannot find the file.
I can't locate any "quarantined" (or similar) directory in the "C:\Program Files\Zone Labs\" tree, and I find that the folder "C:\Program Files\Native Instruments\Pro-53\DXi" has been emptied (presumably its contents removed to the "quarantined" folder I can't find).
I can find the option to un-quarantine the files.
What I also find is that immediately after restoring the file, Zone Alarm re-quarantines it as soon as I try to zip it.
Any suggestions?

Re: Considering all the false positives...

random9q wrote:
    Any suggestions?

Yep. Always better to create a new message than attaching a response to an existing one, since it will not be easy for most users to find...

random9q wrote:
    I can find the option to un-quarantine the files. What I also find is that immediately after restoring the file, Zone Alarm re-quarantines it as soon as I try to zip it.

Please go to ZA antivirus/antispyware tab --> Advanced options --> Virus Management --> Automatic Treatment and select "Alert me - do not treat automatically". Now restore the quarantine and when you get a pop-up window from ZA just select "ignore always" from the list of proposed actions. Now you can upload the file to www.virustotal.com to have the file scanned by more than 30 AV engines. If it is confirmed that it is a false positive, then send it to newvirus at kaspersky dot com in a password protected zip. Subject: false positive. Remember to include the password in the e-mail.

Hope this helps

Cheers,
Fax